To update SSL certificates into iLO, you can refer to http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=c04530504 . You can use iLO hostname or IP address as a 'Common Name (CN)' while generating Certificate Signing Request (CSR). Use the same value as ilo_address while enrolling node to Bare Metal service to avoid SSL certificate validation errors related to hostname mismatch.

To update SSL certificates into iLO, you can refer to http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=c04530504 . You can use iLO hostname or IP address as a 'Common Name (CN)' while generating Certificate Signing Request (CSR). Use the same value as ilo_address while enrolling node to Bare Metal service to avoid SSL certificate validation errors related to hostname mismatch.

The iscsi_ilo and agent_ilo drivers provide security enhanced PXE-less deployment by using iLO virtual media to boot up the bare metal node. These drivers send management info through management channel and separates it from data channel which is used for deployment.

iscsi_ilo and agent_ilo drivers use deployment ramdisk built from diskimage-builder. The iscsi_ilo driver deploys from ironic conductor and supports both net-boot and local-boot of instance. agent_ilo deploys from bare metal node and supports both net-boot and local-boot of instance.

Prerequisites

proliantutils is a python package which contains a set of modules for managing HP ProLiant hardware. Install proliantutils module on the Ironic conductor node. Minimum version required is 2.1.5.

$ pip install "proliantutils>=2.1.5"

ipmitool command must be present on the service node(s) where ironic-conductor is running. On most Linux distributions, this is provided as part of the ipmitool package. Source code is available at http://ipmitool.sourceforge.net/.

Different Configuration for iLO Drivers

Configure Glance Image Service

1. Configure Glance image service with its storage backend as Swift. See [4]_ for configuration instructions.

2. Set a temp-url key for Glance user in Swift. For example, if you have configured Glance with user `glance-swift and tenant as service,then run the below command::

use_web_server_for_images: If the variable is set to false, iscsi_ilo and agent_ilo uses swift containers to host the intermediate floppy image and the boot ISO. If the variable is set to true, these drivers uses the local web server for hosting the intermediate files. The default value for use_web_server_for_images is False.

http_url: The value for this variable is prefixed with the generated intermediate files to generate a URL which is attached in the virtual media.

http_root: It is the directory location to which ironic conductor copies the intermediate floppy image and the boot ISO.

Note HTTPS is strongly recommended over HTTP web server configuration for security enhancement. The iscsi_ilo and agent_ilo will send the instance’s configdrive over an encrypted channel if web server is HTTPS enabled.

Enabling HTTPS in Swift

iLO drivers iscsi_ilo and agent_ilo use Swift for storing boot images and management information (information for Ironic conductor to provision bare metal hardware). By default, HTTPS is not enabled in Swift. HTTPS is required to encrypt all communication between Swift and Ironic conductor and Swift and bare metal (via Virtual Media). It can be enabled in one of the following ways:

Web server configuration for Standalone iLO Drivers

Set up the web server that serves the deploy ramdisks, outside of the ironic-conductor host. This web server should be accessible to the conductor nodes.

Upload the deploy ramdisk images such that the web server in above step can serve them properly.

Set up a web server on each conductor. This step is required only for agent_ilo and iscsi_ilo.

Images must be created (see :ref:`BuildingDibBasedDeployRamdisk`) and made available for download via HTTP(S) URL. This document does not describe the installation or configuration of HTTP(S) servers, however,

If using [i]PXE, then the network boot loader must be able to initiate a request to download the kernel and ramdisk images from "http_url", and the ironic-conductor must be able to write files to "http_root" that will be served from "http_url".

The deployment agent must be able to initiate a request to download the instance image from "http_url".

Requirements for Standalone iLO Drivers

Local web server on conductor - ilo driver uses web server on the conductor node to store temporary FAT images as well as boot ISO images. It needs to be configured on each conductor node.

HTTP(s) web server - When using ilo driver, the image containing the agent/deploy ramdisk is retrieved from HTTP(s) web server directly by iLO. This web server need not be on conductor node. For more information, see `HTTP(s) based Deploy`__.

See `Web server configuration for Standalone iLO Drivers`_

Configure Standalone iLO Drivers

1. Add http_url and http_root in the [deploy] section in /etc/ironic/ironic.conf. For example:

These determine how the web server on the conductor serves images. http_url is the URL prefix which is used for serving images. http_root is the path on disk that the web server is serving at http_url.

Requirements with Glance Image Service

Glance Image Service with Swift configured as its backend - When using ilo drivers, the image containing the agent/deploy ramdisk is retrieved from Swift directly by the iLO.

Drivers

iscsi_ilo driver

Overview

iscsi_ilo driver was introduced as an alternative to pxe_ipmitool and pxe_ipminative drivers for HP ProLiant servers. iscsi_ilo uses virtual media feature in iLO to boot up the bare metal node instead of using PXE or iPXE.

Target Users

Users who do not want to use PXE/TFTP protocol on their data centres.

Users who have concerns on PXE driver's security issues and want to have a security enhanced PXE-less deployment mechanism - The PXE driver passes management information in clear-text to the baremetal node. However, if Swift proxy server has an HTTPS endpoint (See Enabling HTTPS in Swift for more information), the iscsi_ilo driver provides enhanced security by passing management information to and from Swift endpoint over HTTPS. The management information and boot image will be retrieved over encrypted management network via iLO virtual media.

Tested Platforms

This driver should work on HP ProLiant Gen8 Servers and above with iLO 4.

It has been tested with the following servers:

ProLiant SL230s Gen8

ProLiant DL320e Gen8

ProLiant DL380e Gen8

ProLiant DL580e Gen8

ProLiant BL460c Gen8

ProLiant DL180 Gen9 UEFI

ProLiant DL360 Gen9 UEFI

ProLiant DL380 Gen9 UEFI

ProLiant BL460c Gen9

Features

PXE-less deployment with virtual media.

Automatic detection of current boot mode.

Automatic setting of the required boot mode if UEFI boot mode is requested by the nova flavor's extra spec.

Supports booting the instance from virtual media as well as booting locally from disk. Default is booting from virtual media.

UEFI Boot

UEFI Secure Boot

Passing management information via secure, encrypted management network (virtual media) if Swift proxy server has an HTTPS endpoint. See Enabling HTTPS in Swift for more info. Provisioning is done using iSCSI over data network, so this driver has the benefit of security enhancement with the same performance. It segregates management info from data channel.

Remote Console (based on IPMI)

HW Sensors

Works well for machines with resource constraints (lesser amount of memory).

Requirements

Swift Object Storage Service Or HTTP(s) web server on conductor - iLO driver uses either Swift/HTTP(s) web server on the conductor node to store temporary FAT images as well as boot ISO images.

Glance Image Service with Swift configured as its backend Or HTTP(s) web server - When using iscsi_ilo driver, the image containing the deploy ramdisk is retrieved from Swift/HTTP(s) web server directly by the iLO.

Deploy Process

Admin configures the Proliant baremetal node for iscsi_ilo driver. The Ironic node configured will have the ilo_deploy_iso property in its driver_info. This will contain the Glance UUID or HTTP(s) location of the ISO deploy ramdisk image.

Ironic gets a request to deploy a Glance/HTTP(s) image on the baremetal node.

iscsi_ilo driver powers off the baremetal node.

If ilo_deploy_iso is a Glance UUID, the driver generates a swift-temp-url for the deploy ramdisk image and attaches it as Virtual Media CDROM on the iLO. If ilo_deploy_iso is a HTTP(s) URL, the driver attaches it directly as Virtual Media CDROM on the iLO.

The driver creates a small FAT32 image containing parameters to the deploy ramdisk. This image is uploaded to Swift/HTTP(s) web server and its swift-temp-url/HTTP(s) URL is attached as Virtual Media Floppy on the iLO.

The driver sets the node to boot one-time from CDROM.

The driver powers on the baremetal node.

The deploy kernel/ramdisk is booted on the baremetal node. The ramdisk exposes the local disk over iSCSI and requests Ironic conductor to complete the deployment.

The driver on the Ironic conductor writes the glance/HTTP(s) image to the baremetal node's disk.

If local-boot is requested, Ironic conductor asks the deployment ramdisk to install the boot loader.

If it's a netboot (default), the driver bundles the boot kernel/ramdisk for the deploy image into an ISO and then uploads it to Swift/HTTP(s) web server. This ISO image will be used for booting the deployed instance.

The driver reboots the node.

For netboot, on the first and subsequent reboots iscsi_ilo driver attaches this boot ISO image in Swift/HTTP(s) as Virtual Media CDROM and then sets iLO to boot from it. If boot_option was set to local, then the instance is booted from disk.

Configuring and Enabling the driver

Note: The steps to create HTTP(s) web server and uploading the images to HTTP(s) web server is out-of-scope of Ironic.

1. Prepare an ISO deploy ramdisk image from diskimage-builder [3]_. This can be done by adding the iso element to the ramdisk-image-create command. This command creates the deploy kernel/ramdisk as well as a bootable ISO image containing the deploy kernel and ramdisk. The below command creates files named deploy-ramdisk.kernel,
deploy-ramdisk.initramfs and deploy-ramdisk.iso in the current working directory

console_port: (optional) Node's UDP port for console access. Any unused port on the Ironic conductor node may be used.

NOTE:
To update SSL certificates into iLO, you can refer to http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=c04530504 . You can use iLO hostname or IP address as a 'Common Name (CN)' while generating Certificate Signing Request (CSR). Use the same value as ilo_address while enrolling node to Bare Metal service to avoid SSL certificate validation errors related to hostname mismatch.

For example, you could run a similar command like below to enroll the ProLiant node:

Boot modes

When no boot mode setting is provided, iscsi_ilo driver preserves the current boot mode of the bare metal on the deployed instance.

A requirement of a specific boot mode may be provided by adding boot_mode:bios or boot_mode:uefi to capabilities property within the properties field of an Ironic node. iscsi_ilo driver will then deploy and configure the instance in the specified boot mode.

For example, to make a Proliant baremetal node boot always in UEFI mode, run the following command::

We recommend setting the boot_mode property on systems that support both UEFI and legacy modes if user wants facility in Nova to choose a baremetal node with appropriate boot mode. This is for Gen8 (ProLiant DL580 only) and Gen9 systems.

iscsi_ilo driver automatically sets boot mode from BIOS to UEFI, if the requested boot mode in nova boot is UEFI. However, users will need to pre-configure boot mode to Legacy on Gen8 (ProLiant DL580 only) and Gen9 servers if they want to deploy the node in legacy mode.

The automatic boot ISO creation for UEFI boot mode has been enabled in Kilo. The manual creation of boot ISO for UEFI boot mode is also supported. For the latter, the boot ISO for the deploy image needs to be built separately and the deploy image's boot_iso property in Glance should contain the Glance UUID of the boot ISO. For building boot ISO, add the iso element after adding the baremetal element while building disk images with diskimage-builder

disk-image-create ubuntu baremetal iso

From nova, specific boot mode may be requested by using the ComputeCapabilitesFilter. For example, it can be set in a flavor like below::

agent_ilo driver

Overview

agent_ilo driver was introduced as an alternative to agent_ipmitool and agent_ipminative drivers for HP Proliant servers. agent_ilo driver uses virtual media feature in HP Proliant baremetal servers to boot up the Ironic Python Agent (IPA) on the baremetal node instead of using PXE. For more information on IPA, refer https://wiki.openstack.org/wiki/Ironic-python-agent.

Target Users

Users who do not want to use PXE/TFTP protocol on their data centres.

Tested Platforms

This driver should work on HP Proliant Gen8 Servers and above with iLO 4.

It has been tested with the following servers:

ProLiant SL230s Gen8

ProLiant DL320e Gen8

ProLiant DL380e Gen8

ProLiant DL580e Gen8

ProLiant BL460c Gen8

ProLiant DL180 Gen9 UEFI

ProLiant DL360 Gen9 UEFI

ProLiant DL380 Gen9 UEFI

ProLiant BL460c Gen9

Features

PXE-less deploy with virtual media using Ironic Python Agent.

Remote Console

HW Sensors

Automatic detection of current boot mode.

Automatic setting of the required boot mode if UEFI boot mode is requested by the nova flavor's extra spec.

UEFI Boot

UEFI Secure Boot

IPA runs on the bare metal node and pulls the image directly from Swift.

Requirements

Swift Object Storage Service Or HTTP(s) web server on conductor - iLO driver uses either Swift/HTTP(s) web server on the conductor node to store temporary FAT images as well as boot ISO images.

Glance Image Service with Swift configured as its backend Or HTTP(s) web server - When using agent_ilo driver, the image containing the agent is retrieved from Swift/HTTP(s) web server directly by the iLO.

Deploy Process

Admin configures the Proliant baremetal node for agent_ilo driver. The Ironic node configured will have the ilo_deploy_iso property in its driver_info. This will contain the Glance UUID/HTTP(s) URL of the ISO deploy agent image containing the agent.

Ironic gets a request to deploy a Glance/HTTP(s) image on the baremetal node.

Driver powers off the baremetal node.

If ilo_deploy_iso is a Glance UUID, the driver generates a swift-temp-url for the deploy agent image and attaches it as Virtual Media CDROM on the iLO. If ilo_deploy_iso is a HTTP(s) URL, the driver attaches it directly as Virtual Media CDROM on the iLO.

Driver creates a small FAT32 image containing parameters to the agent ramdisk. This image is uploaded to Swift/HTTP(s) and its swift-temp-url/HTTP(s) URL is attached as Virtual Media Floppy on the iLO.

Driver sets the node to boot one-time from CDROM.

Driver powers on the baremetal node.

The deploy kernel/ramdisk containing the agent is booted on the baremetal node. The agent ramdisk talks to the Ironic conductor, downloads the image directly from Swift/HTTP(s) and writes the image to chosen disk on the node.

Driver sets the node to permanently boot from disk and then reboots the node.

Configuring and Enabling the driver

1. Prepare an ISO deploy Ironic Python Agent image containing the agent [5]_. This can be done by using the iso-image-create script found within the agent. The below set of commands will create a file ipa-ramdisk.iso in the below directory UPLOAD::

3. Configure Glance image service with its storage backend as Swift. See [4]_ for configuration instructions.
4. Set a temp-url key for Glance user in Swift. For example, if you have configured Glance with user glance-swift and tenant as service, then run the below command::

console_port: (optional) Node's UDP port for console access. Any unused port on the Ironic conductor node may be used.

NOTE:

To update SSL certificates into iLO, you can refer to http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=c04530504 . You can use iLO hostname or IP address as a 'Common Name (CN)' while generating Certificate Signing Request (CSR). Use the same value as ilo_address while enrolling node to Bare Metal service to avoid SSL certificate validation errors related to hostname mismatch.

For example, you could run a similar command like below to enroll the ProLiant node:

Boot modes

When no boot mode setting is provided, agent_ilo driver preserves the current boot mode on the deployed instance.

A requirement of a specific boot mode may be provided by adding boot_mode:bios or boot_mode:uefi to capabilities property within the properties field of an Ironic node. Then agent_ilo driver will deploy and configure the instance in the appropriate boot mode.

For example, to make a Proliant baremetal node boot in UEFI mode, run the following command::

We recommend setting the boot_mode property on systems that support both UEFI and legacy modes if user wants facility in Nova to choose a baremetal node with appropriate boot mode. This is for ProLiant DL580 Gen8 and Gen9 systems.

agent_ilo driver automatically set boot mode from BIOS to UEFI, if the requested boot mode in nova boot is UEFI. However, users will need to pre-configure boot mode to Legacy on Gen8 (ProLiant DL580 only) and Gen9 servers if they want to deploy the node in legacy mode.

From nova, specific boot mode may be requested by using the ComputeCapabilitesFilter. For example, it can be set in a flavor like below::

console_port: (optional) Node's UDP port for console access. Any unused port on the Ironic conductor node may be used.

NOTE:
To update SSL certificates into iLO, you can refer to http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=c04530504 . You can use iLO hostname or IP address as a 'Common Name (CN)' while generating Certificate Signing Request (CSR). Use the same value as ilo_address while enrolling node to Bare Metal service to avoid SSL certificate validation errors related to hostname mismatch.

For example, you could run a similar command like below to enroll the ProLiant node:

Boot modes

When no boot mode setting is provided, pxe_ilo driver preserves the current boot mode on the deployed instance.

A requirement of a specific boot mode may be provided by adding boot_mode:bios or boot_mode:uefi to capabilities property within the properties field of an Ironic node. Then pxe_ilo driver will deploy and configure the instance in the appropriate boot mode.::

We recommend setting the boot_mode property on systems that support both UEFI and legacy modes if user wants facility in Nova to choose a baremetal node with appropriate boot mode. This is for ProLiant DL580 Gen8 and Gen9 systems.

pxe_ilo driver automatically set boot mode from BIOS to UEFI, if the requested boot mode in nova boot is UEFI. However, users will need to pre-configure boot mode to Legacy on DL580 Gen8 and Gen9 servers if they want to deploy the node in legacy mode.

From nova, specific boot mode may be requested by using the ComputeCapabilitesFilter. For example, it can be set in a flavor like below::

If capabilities is used in extra_spec as above, Nova scheduler (ComputeCapabilitiesFilter) will match only Ironic
nodes which have the secure_boot set appropriately in properties/capabilities. It will filter out rest of the nodes.

The above facility for matching in Nova can be used in heterogeneous environments where there is a mix of machines
supporting and not supporting UEFI secure boot, and operator wants to provide a choice to the user regarding secure
boot. If the flavor doesn't contain secure_boot then Nova scheduler will not consider secure boot mode as a placement
criteria, hence user may get a secure boot capable machine that matches with user specified flavors but deployment
would not use its secure boot capability. Secure boot deploy would happen only when it is explicitly specified through
flavor

Use element ubuntu-signed or fedora to build signed ubuntu deploy iso and user images from diskimage-builder_. The below command creates files named deploy-ramdisk.kernel,
deploy-ramdisk.initramfs and deploy-ramdisk.iso in the current working directory

In UEFI secure boot, digitally signed bootloader should be able to validate digital signatures of kernel during boot process. This requires that the bootloader contains the digital signatures of the kernel. For iscsi_ilo driver, it is recommended that boot_iso property for user image contains the Glance UUID of the boot ISO. If boot_iso property is not updated in Glance for the user image, it would create the boot_iso using bootloader from the deploy iso. This boot_iso will be able to boot the user image in UEFI secure boot environment only if the bootloader is signed and can validate digital signatures of user image kernel.

For pxe_ilo driver, in case of deploy of partition image, ensure that the signed grub2 bootloader used during deploy can validate digital signature of the kernel in the instance partition image. If signed grub2 cannot validate kernel in the instance partition image, boot will fail for the same.

The above are just the examples of using the capabilities in nova flavor.

Enabling HTTPS in Swift

iLO drivers iscsi_ilo and agent_ilo use Swift for storing boot images and management information. By default, HTTPS is not enabled in Swift. HTTPS is required to encrypt all communication between Ironic Conductor and Swift proxy server, thereby preventing eavesdropping of network packets. It can be enabled in one of the following ways:

Node Cleaning Support

The following drivers support node cleaning:

pxe_ilo

iscsi_ilo

agent_ilo

Ironic provides two modes for node cleaning: automated and manual. Automated cleaning is automatically performed before the first workload has been assigned to a node and when hardware is recycled from one workload to another whereas Manual cleaning must be invoked by the operator.

Automated cleaning

Node automated cleaning is enabled by default. This setting can be changed in ironic.conf. (Prior to Mitaka, this option was named ‘clean_nodes’)

[conductor]
automated_clean=true

OR

[conductor]
automated_clean=false

Nodes are set to cleaning state in either of the following -

During deletion of an existing instance, i.e. when the node moves from ACTIVE -> AVAILABLE state

reset_bios_to_default: Resets system ROM / BIOS Settings to default. This clean step is supported only on Gen9 and above servers. By default, enabled with priority 10.

reset_secure_boot_keys_to_default: Resets secure boot keys to manufacturer’s defaults. This step is supported only on Gen9 and above servers. By default, enabled with priority 20.

reset_ilo_credential: Resets the iLO password, if ‘ilo_change_password’ is specified as part of node’s driver_info. By default, enabled with priority 30.

clear_secure_boot_keys: Clears all secure boot keys. This step is supported only on Gen9 and above servers. By default, this step is disabled.

reset_ilo: Resets the iLO. By default, this step is disabled.

Additionally, agent_ilo driver supports inband disk erase operation. You may also need to configure a Cleaning Network. To disable or change the priority of the particular automated clean step, respective configuration options to be updated in ironic.conf.

To disable a particular automated clean step, update the priority of step to 0. For more information on node automated cleaning, see Automated cleaning

Manual cleaning

When initiating a manual clean, the operator specifies the cleaning steps to be performed. Manual cleaning can only be performed when a node is in the MANAGEABLE state. Once the manual cleaning is finished, the node will be put in the MANAGEABLE state again.
Manual cleaning can only be performed when the REST API request to initiate it is available in API version 1.15 and higher. So, from command line you need to do:

Activates the iLO Advanced license. This is an out-of-band manual cleaning step associated with the management interface. Please note that this operation cannot be performed using virtual media based drivers like iscsi_ilo and agent_ilo as they need this type of advanced license already active to use virtual media to boot into to start cleaning operation. Virtual media is an advanced feature. If an advanced license is already active and the user wants to overwrite the current license key, for example in case of a multi-server activation key delivered with a flexible-quantity kit or after completing an Activation Key Agreement (AKA), then these drivers can still be used for executing this cleaning step.

Activating iLO Advanced license as manual clean step

iLO drivers can activate the iLO Advanced license key as a manual cleaning step. Any manual cleaning step can only be initiated when a node is in the MANAGEABLE state. Once the manual cleaning is finished, the node will be put in the MANAGEABLE state again. User can follow steps from Manual cleaning to initiate manual cleaning operation on a node. Refer the following in executing the iLO advanced license activation as a manual clean step via ironic client for the purpose of illustration:

Initiating firmware update as manual clean step

iLO drivers can invoke secure firmware update as a manual cleaning step. Any manual cleaning step can only be initiated when a node is in the MANAGEABLE state. Once the manual cleaning is finished, the node will be put in the MANAGEABLE state again. User can follow steps from Manual cleaning to initiate manual cleaning operation on a node. Refer the following in executing the iLO based firmware update as a manual clean step via ironic client for the purpose of illustration:

Note: This feature assumes that while using file url scheme the file path is on the conductor controlling the node.

Note: The swift url scheme assumes the swift account of the service project. The service project (tenant) is a special project created in the Keystone system designed for the use of the core OpenStack services. When Ironic makes use of Swift for storage purpose, the account is generally service and the container is generally ironic and ilo drivers use a container named ironic_ilo_container for their own purpose.

Note: While using firmware files with a .rpm extension, make sure the commands rpm2cpio and cpio are present on the conductor, as they are utilized to extract the firmware image from the package.

The firmware components that can be updated are: ilo, cpld, power_pic, bios and chassis.

The firmware images will be updated in the order given by the operator. If there is any error during processing of any of the given firmware images provided in the list, none of the firmware updates will occur. The processing error could happen during image download, image checksum verification or image extraction. The logic is to process each of the firmware files and update them on the devices only if all the files are processed successfully. If, during the update (uploading and flashing) process, an update fails, then the remaining updates, if any, in the list will be aborted. But it is recommended to triage and fix the failure and re-attempt the manual clean step update_firmware for the aborted firmware_images.

The devices for which the firmwares have been updated successfully would start functioning using their newly updated firmware.

As a troubleshooting guidance on the complete process, check Ironic conductor logs carefully to see if there are any firmware processing or update related errors which may help in root causing or gain an understanding of where things were left off or where things failed. You can then fix or work around and then try again. A common cause of update failure is HPE Secure Digital Signature check failure for the firmware image file.

To compute md5 checksum for your image file, user can use the following command:

$ md5sum image.rpm
66cdb090c80b71daa21a67f06ecd3f33 image.rpm

Instance Images

All iLO drivers support deployment of whole disk images. The whole disk images
could be one of following types:

1. BIOS only image. An image having only MBR partition and will boot only in BIOS boot mode.

2. UEFI only image. An image having GPT partition and will boot only in UEFI boot mode.

3. Hybrid image. An image that has GPT and MBR partition and will boot in both BIOS and UEFI boot mode.

4. Signed UEFI image. An UEFI image wherein bootloader and kernel are signed which could be used in UEFI secure boot environment.

Note : Config Drive feature of Ironic may not work on all the whole disk images, especially hybrid images wherein partition information may get lost when config drive partition is being created leading to failure during provisioning or instance may not boot.

Not all Linux distributions support hybrid images (single image that can boot in BIOS and UEFI boot mode). If the image can be booted only in a specific boot mode then user needs to add 'boot_mode' capability in nova flavor's extra_spec.
From nova, specific boot mode may be requested by using the ComputeCapabilitesFilter. For example:-

Known Issues

Deploy on Gen9 servers fails as iLO do not honour one time boot device settings and tries to boot from the persistent boot device.

It is caused due to a defect in BIOS System ROM. The fix for the same is available since firmware version 1.32_03-05-2015 13 May 2015 onward.

2

Smart Array SAS Driver v8.03

Fedora based IPA deploy ramdisk ISO fails to boot with error "error: can't allocate initrd" if the P220 based smart array controller is attached to the ProLiant server

It is a Fishman driver issue in firmware for P220 based smart arrays. The defect has been filed on Fishman firmware. The driver patch would be made available shortly.

3

iLO version 2.20

Deploy using any of the iLO drivers can fail on Gen9 servers with error in conductor logs as "Invalid Device Choice" while setting persistent boot device. This issue happens only when Gen9 servers are running with iLO firmware version 2.20

This issue is in iLO firmware wherein if RIBCL is used to update persistent boot devices in UEFI boot mode on Gen9 servers, it fails with error message mentioned above. This issue can be resolved by using one of the methods given below:-

A. Downgrading the iLO firmware version to 2.10 or upgrading it to version higher than 2.20

B. Upgrading python package 'proliantutils' to version greater or equal to 2.1.3, This issue has been fixed in 'proliantutils' by enhancing it to use HP REST interface to update persistent boot devices for Gen9 servers.

When SSL is enabled in OpenStack environment and images to be attached to iLO virtual media are based on 'https', iLO is unable to read/boot using such images.

iLO firmware version may not support the ciphers being enabled at the SSL server hosting the images. Please refer to iLO firmware documentation to ensure that the ciphers being used are supported http://h10032.www1.hp.com/ctg/Manual/c03334051. It is also recommended to refer to 'Release Notes' of iLO firmware version being used for more details.